> Learn how to use Actions with role-based access control (RBAC).

# Sample Use Cases: Actions with Authorization

Auth0 [Actions](/docs/customize/actions) allow you to modify or complement the outcome of the decision made by a pre-configured [authorization policy](/docs/manage-users/access-control/authorization-policies) so that you can handle more complicated cases than is possible with [role-based access control (RBAC)](/docs/manage-users/access-control/rbac) alone. Based on the order in which they run, Actions can change the outcome of an authorization decision prior to permissions being added to the <Tooltip tip="Access Token: Authorization credential, in the form of an opaque string or JWT, used to access an API." cta="View Glossary" href="/docs/glossary?term=Access+Token">Access Token</Tooltip>. They can also allow you to customize the content of your tokens.

## Allow access only on weekdays for a specific application

Let's say you have an application that you want to make sure is only accessible during weekdays. [Create a new Action](/docs/customize/actions/write-your-first-action), and select the `Login / Post Login` trigger because you’ll be adding the Action to the Login flow. Copy the following code to the Actions Code Editor:

```js lines theme={null}
exports.onExecutePostLogin = async (event, api) => {
  if (event.client.name === "APP_NAME") {
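    // getDay() uses the Action runtime's clock and time zone, not the user's.
    const d = new Date().getDay();

    // 0 = Sunday, 6 = Saturday
    if (d === 0 || d === 6) {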
      api.access.deny("This app is only available during the week.");
    }
  }
}
```

Finally, add the Action you created to the [Login Flow](https://manage.auth0.com/#/actions/flows/login/). To learn how to attach Actions to Flows, read the "Attach the Action to a flow" section in [Write Your First Action](/docs/customize/actions/write-your-first-action).

If a user attempts to access the application during the weekend, access will be denied, even if they authenticate and have the appropriate privileges.
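Because `getDay()` follows the runtime's time zone, the weekend boundary can fall several hours away from the one your business observes. The following added example (not Auth0's code) evaluates the day of the week in a chosen business time zone; `BUSINESS_TZ`, `isWeekendIn`, `weekdayDecision` and the sample instants are assumptions made for illustration.

```javascript
// Added example: time-zone-aware weekday check (not Auth0's code).
// BUSINESS_TZ and the helper names are assumptions for illustration.
const BUSINESS_TZ = "America/New_York";

// True when `date` falls on Saturday or Sunday in `timeZone` (IANA name).
function isWeekendIn(date, timeZone) {
  const day = new Intl.DateTimeFormat("en-US", { weekday: "short", timeZone }).format(date);
  return day === "Sat" || day === "Sun";
}

// Pure decision function: returns the denial reason, or null to allow.
function weekdayDecision(event, now) {
  if (event.client.name !== "APP_NAME") return null; // other apps are unaffected
  return isWeekendIn(now, BUSINESS_TZ)
    ? "This app is only available during the week."
    : null;
}

const onExecutePostLogin = async (event, api) => {
  const reason = weekdayDecision(event, new Date());
  if (reason) api.access.deny(reason);
};

// Constructed sample instants around the weekend boundary.
const SAMPLES = {
  fridayNightNY: new Date("2024-06-08T02:00:00Z"), // Sat 02:00 UTC = Fri 22:00 New York
  sundayNightNY: new Date("2024-06-10T02:00:00Z"), // Mon 02:00 UTC = Sun 22:00 New York
};

// In the Actions editor, export the handler as usual.
if (typeof exports !== "undefined") exports.onExecutePostLogin = onExecutePostLogin;
```

Keeping the decision in a pure function lets you test boundary instants locally before attaching the Action to the flow.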

## Allow access only to users who are inside the corporate network

Let's say you want to allow access to an application, but only for users who are accessing the application from inside your corporate network. [Create a new Action](/docs/customize/actions/write-your-first-action), and select the `Login / Post Login` trigger because you’ll be adding the Action to the Login flow. Copy the following code to the Actions Code Editor:

```js lines theme={null}
const ipaddr = require("ipaddr.js");

exports.onExecutePostLogin = async (event, api) => {
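  // CIDR range of the corporate network, parsed to [address, prefixLength].
  const corpNetwork = ipaddr.parseCIDR("192.168.1.134/26");
  // process() also converts IPv4-mapped IPv6 addresses (::ffff:a.b.c.d) to IPv4.
  const currentIp = ipaddr.process(event.request.ip);

  // match() throws when the address families differ, so compare kinds first.
  if (currentIp.kind() !== corpNetwork[0].kind() || !currentIp.match(corpNetwork)) {
    api.access.deny("This app is only available from inside the corporate network.");
  }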
};
```

Finally, add the Action you created to the [Login Flow](https://manage.auth0.com/#/actions/flows/login/). To learn how to attach Actions to Flows, read the "Attach the Action to a flow" section in [Write Your First Action](/docs/customize/actions/write-your-first-action).

If the user is outside the corporate network, they will be denied access even if they successfully authenticate and have the appropriate privileges.

<Callout icon="file-lines" color="#0EA5E9" iconType="regular">
  To use an `npm` library like `ipaddr.js`, you must add the library as a dependency to the Action. To learn more, read the "Add a dependency" section in [Write Your First Action](/docs/customize/actions/write-your-first-action).
</Callout>
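To make the corporate network range concrete, the following added example (not Auth0's code, and not a replacement for `ipaddr.js`) is a dependency-free IPv4 check that shows which addresses `192.168.1.134/26` covers and denies IPv6 or malformed input. `ALLOWED_CIDRS` and all helper names are assumptions made for illustration.

```javascript
// Added example (not Auth0's code): dependency-free IPv4 allow-list check.
// ALLOWED_CIDRS and every helper name below are assumptions for illustration.
const ALLOWED_CIDRS = ["192.168.1.134/26"]; // the range used on this page

// Dotted-quad IPv4, optionally IPv4-mapped IPv6 (::ffff:a.b.c.d), to an unsigned
// 32-bit number. Returns null for anything else so callers can fail closed.
function ipv4ToInt(ip) {
  const m = /^(?:::ffff:)?(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/i.exec(String(ip).trim());
  if (!m) return null;
  const octets = m.slice(1).map(Number);
  if (octets.some((o) => o > 255)) return null;
  return octets.reduce((acc, o) => acc * 256 + o, 0);
}

function intToIpv4(n) {
  return [24, 16, 8, 0].map((s) => Math.floor(n / 2 ** s) % 256).join(".");
}

// First and last address covered by a CIDR; host bits in the base are ignored.
function cidrRange(cidr) {
  const [base, bits] = String(cidr).split("/");
  const addr = ipv4ToInt(base);
  if (addr === null || !/^\d{1,2}$/.test(bits) || Number(bits) > 32) {
    throw new Error(`invalid IPv4 CIDR: ${cidr}`);
  }
  const size = 2 ** (32 - Number(bits));
  const first = Math.floor(addr / size) * size;
  return { first: intToIpv4(first), last: intToIpv4(first + size - 1) };
}

// True only when `ip` parses as IPv4 and falls inside one of the ranges.
function isInsideCorpNetwork(ip, cidrs = ALLOWED_CIDRS) {
  const n = ipv4ToInt(ip);
  if (n === null) return false; // IPv6 or malformed input: deny
  return cidrs.some((cidr) => {
    const { first, last } = cidrRange(cidr);
    return n >= ipv4ToInt(first) && n <= ipv4ToInt(last);
  });
}
```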

## Deny access to anyone calling an API

Let's say you want to deny access to all users who are calling an API. This means that you need to deny access depending on the `identifier` value for your API, which you can find in the **API <Tooltip tip="Audience: Unique identifier of the audience for an issued token. Named aud in a token, its value contains the ID of either an application (Client ID) for an ID Token or an API (API Identifier) for an Access Token." cta="View Glossary" href="/docs/glossary?term=Audience">Audience</Tooltip>** field of your API at [Auth0 Dashboard > Applications > APIs](https://manage.auth0.com/#/apis). [Create a new Action](/docs/customize/actions/write-your-first-action), and select the `Login / Post Login` trigger because you’ll be adding the Action to the Login flow. Copy the following code to the Actions Code Editor:

```js lines theme={null}
exports.onExecutePostLogin = async (event, api) => {
  // In Actions, an API will be referred to as a Resource Server.
  const { identifier } = event.resource_server || {};
  if (identifier === "https://api.example.com") {
    api.access.deny("end_users_not_allowed");
  }
}
```

Finally, add the Action you created to the [Login Flow](https://manage.auth0.com/#/actions/flows/login/). To learn how to attach Actions to Flows, read the "Attach the Action to a flow" section in [Write Your First Action](/docs/customize/actions/write-your-first-action).

In this case, the `identifier` value for the API is `https://api.example.com`, so this is the audience we will refuse.

## Add user roles to tokens

To add user roles to Auth0-issued tokens, use the `event.authorization` object along with the `api.idToken.setCustomClaim` and `api.accessToken.setCustomClaim` methods. [Create a new Action](/docs/customize/actions/write-your-first-action), and select the `Login / Post Login` trigger because you’ll be adding the Action to the Login flow. Copy the following code to the Actions Code Editor:

```js lines theme={null}
exports.onExecutePostLogin = async (event, api) => {
  const namespace = 'https://my-app.example.com';
  if (event.authorization) {
    api.idToken.setCustomClaim(`${namespace}/roles`, event.authorization.roles);
    api.accessToken.setCustomClaim(`${namespace}/roles`, event.authorization.roles);
  }
}
```

Finally, add the Action you created to the [Login Flow](https://manage.auth0.com/#/actions/flows/login/). To learn how to attach Actions to Flows, read the "Attach the Action to a flow" section in [Write Your First Action](/docs/customize/actions/write-your-first-action).

Remember:

* The <Tooltip tip="JSON Web Token (JWT): Standard ID Token format (and often Access Token format) used to represent claims securely between two parties." cta="View Glossary" href="/docs/glossary?term=JWT">JWT</Tooltip> returned to the requesting application is built and signed at the end of the trigger processing. The final, signed JWT is not accessible in an Action.

## Deny access to specific JA3/JA4 fingerprints

The `event.security_context` object contains the JA3/JA4 fingerprint values for the current transaction.

[Create a new Action](/docs/customize/actions/write-your-first-action), and select the `Login / Post Login` trigger because you’ll be adding the Action to the Login flow. Copy the following code to the Actions Code Editor:

```js lines theme={null}
exports.onExecutePostLogin = async (event, api) => {
  // JA4 fingerprint of the TLS client for the current transaction, if present.
  const clientJa4 = event?.security_context?.ja4;
  console.log('[ACTION]', {clientJa4});
  // Fingerprints to block.
  const badFingerprints = ['t13d1517h2_8daaf6152771_b6f405a00624','t13d1516h2_8daaf6152771_d8a2da3f94cd'];
  if (clientJa4 && badFingerprints.includes(clientJa4)){
    // In the Post Login trigger, api.access.deny() takes a single reason argument.
    api.access.deny('Your TLS fingerprint has been flagged as suspicious');
  }
};
```

Finally, add the Action you created to the [Login Flow](https://manage.auth0.com/#/actions/flows/login/). To learn how to attach Actions to Flows, read the "Attach the Action to a flow" section in [Write Your First Action](/docs/customize/actions/write-your-first-action).
